Abstract

Since ~400 BC, when man first replicated flying
behavior with kites, up until the turn of the 20th 
century, when the Wright brothers performed the first 
successful powered human flight, flight functions 
have become available to man via significant support 
from man-made structures and devices. Over the past 
100 years or so, technology has enabled several flight 
functions to migrate to automation and/or decision 
support systems. This migration continues with the 
United States’ NextGen and Europe’s Single 
European Sky (a.k.a. SESAR) initiatives. These 
overhauls of the airspace system will be 
accomplished by accommodating the functional 
capabilities, benefits, and limitations of technology 
and automation together with the unique and 
sometimes overlapping functional capabilities, 
benefits, and limitations of humans. This paper will 
discuss how a safe and effective migration of any 
flight function must consider several interrelated 
issues, including, for example, shared situation 
awareness, and automation addiction, or over- 
reliance on automation. A long-term philosophical 
perspective is presented that considers all of these 
issues by primarily asking the following questions: 
How does one find an acceptable level of risk 
tolerance when allocating functions to automation 
versus humans? How does one measure or predict 
with confidence what the risks will be? These two 
questions and others will be considered from the two 
most-discussed paradigms involving the use of 
increasingly complex systems in the future: “humans 
as operators” and “humans as monitors.” 

Nomenclature 

ATM Air Traffic Management
ATS Air Transportation System
FMS Flight Management System
GNC Guidance, Navigation and Control
NAS National Airspace System
NextGen Next Generation Air Transportation System
SESAR Single European Sky ATM Research
SWIM System Wide Information Management
UAS Unmanned Aircraft System

1. Introduction 

Migration, found in all major animal groups, is 
a behavioral adaptation that promotes survival and 
growth. The triggers for animal migration involve 
environmental factors such as climate and food. 
Throughout time, conditions have existed that either 
obligated the migration of a species, or permitted 
voluntary migration in whole or in part.

The same migratory phenomena can be observed 
in the way humans utilize the airspace. Instead of 
tracking movements of a particular animal species in 
a geospatial environment, this paper discusses how 
airspace functions have changed and been enabled by 
movements, or migrations, from nature (biology) to 
human-centered mechanisms, to collaborative 
human-automation systems, and eventually to 
automation-centered systems. Although the airspace 
may be utilized for many functions, such as 
communication and transportation mediums, this 
paper will focus on its use to enable transportation. 
The air transportation system (ATS) function 
expands and contracts, but is generally consistent 
across time - enabling an entity to move from an 
initial point to a destination via the airspace. Unlike 
the migration of animal species, the ATS function 
migrates in techno-political environments. Significant 
changes in the techno-political environments are one 
of the major causes of such migrations or transitions 
of function enablers. Other causes can be innovation, 
learning, technology advancements, and demand for 
new and improved services or performance. 

Figure 1. Ages of Air Transportation System Control


For this paper, transitions to new “migratory 
periods” occur when the nature of control over the 
ATS function undergoes a substantial change in 
authority (i.e. who is in control). In [1], this is 
referred to as the “locus of control.” As previously 
mentioned, many conditions can trigger or affect 
these transitions. These include changes induced by 
the designer’s paradigm, new means for ATS agent 
collaboration, or the addition of new agents who 
would be involved in control authority whether they 
be human or autonomous agents. Throughout each 
age, functions migrate almost continuously at a small 
scale, to satisfy the designers and the control 
authority within a techno-political environment. 
Despite undergoing such small changes continuously, 
there are four distinct migratory periods, or “ages,” 
where a nearly steady-state control theme can be 
observed. These four ages of ATS control are 
denoted herein as: (1) Observation and Imitation, (2) 
Human-Centered, (3) Human-Automation 
Collaboration, and (4) Automation-Centered (Figure
1).

In recent years, the introduction and continued 
promotion of the Next Generation Air Transportation 
System (NextGen) in the US, and the Single 
European Sky ATM Research (SESAR) program in 
Europe, are pushing the global ATS function into 
increased use of automated and autonomous systems 
with integrated information networks that push 
system risks into new undiscovered areas [2]. These 
developments reinforce that we are currently in the 
early parts of the Human-Automation Collaboration
age. This paper, targeted towards the community of
ATS designers (e.g. architects, system safety 
specialists, technologists, policy makers, and 
certification authorities), among other things, raises 
questions about how to address safety during this and 
the next age - the Automation-Centered age. For 
example, how do we manage the sharing of 
responsibility for safety in ages where technological 
complexity has grown exponentially? Key aspects of
the answer point to the importance of information
and well-defined system requirements, as well as 
placing increased value on verification and validation 
of authority and autonomy boundary conditions, and 
on robust mitigations that can contain future risks 
given alternate roles for humans during design and 
operations. 

A. The Observation and Imitation Age 

The first age of ATS control was based on 
“observing and imitating.” In this age, humans first 
observed nature, that is, the insects and the birds, and 
later imitated this flight via various mechanisms and 
techniques. For example, around 400 BC, the 
Chinese developed kites that could fly [3]. These 
kites were the forerunners of balloons and gliders - 
all non-powered and dependent almost exclusively on 
nature (e.g. wind) to create lift. Leonardo da Vinci in
1485 first illustrated and created ideas of man-carrying
machines, mimicking animal flight. The
brothers Joseph and Jacques Montgolfier invented the 
first hot air balloon allowing the first manned flight 
in 1783. Around 1800, Sir George Cayley created a
glider capable of carrying a human. In 1891, German
engineer Otto Lilienthal designed a glider that could 
fly a person long distances. The cumulative effect of 
all such inventions, and the lessons-learned during 
the flights, led to the transition from the Observation 
and Imitation age to the Human-Centered age of ATS 
control. 

B. The Human-Centered Age 

The second age of ATS control began around 
the turn of the 20th century and was embodied by a
fundamental shift from the previous age in that 
controlled human flight was now possible. The 
advent of powered flight meant that humans were no 
longer at the mercy of natural forces, such as wind or 
gravity, to achieve flight. Thrust and directional 
control could be accomplished by human pilots - 
with technology helping to accomplish this in cases 
where physical limitations existed. In 1901, Samuel 
Langley built the first successful flying aerodrome 
model propelled by an internal combustion engine 
that flew for nearly a mile. In 1903, the Wright 
brothers developed the “Flyer” with an engine 
propulsion system that allowed the first heavier-than-
air human flight [4]. With this invention, humankind
was now able to fly in the airspace with limited but
effective control. The first armed airplane added
functionality by incorporating a machine gun in 
1912. Over time, innovators began to integrate 
electromechanical flight control systems to help 
human pilots control and manage aerodynamic 
performance (e.g. ailerons and elevators). This 
integration of flight-related functions also helped to
efficiently optimize competing factors of 
performance and cost. 

In 1914, the notion of automation was first 
introduced in the ATS when Lawrence Sperry's 
automatic gyrostabilizer led to the first “automatic 
pilot” [5]. Automation technology at this time added 
both functionality and complexity to the vehicle and 
suggested a possible replacement of human effort in 
the area of aircraft control. The first 
electromechanical flight simulator was introduced in 
1928 by Edwin Link [6]. Boeing developed a 
commercial airliner in 1933. Over the next few 
decades, aircraft and ground-based innovations and 
technologies created many new and expanded ATS 
functions and capabilities (e.g. radar, instrument
landing systems, radio-based navigation aids, and
transponders). 

Beginning in the 1950’s, with the advent of the 
transistor and “digital” computer systems, analog 
functions began to be replaced. This allowed for 
more integrated functionality and savings in power 
and weight. Autonomous and automated systems 
continued to expand in function (e.g. auto-throttles, 
anti-skid braking systems, auto-landing, and 
automated decision support systems that alerted 
humans to changing conditions). The increased use of 
automated systems throughout the ATS as well as the 
increased utility of these systems incrementally but 
significantly changed the relationship between 
humans and automation. The human role in the ATS 
morphed as the automated system footprint
expanded. In this age of ATS control, humans 
remained fundamentally in charge, although control 
(and authority) were beginning to be shared among 
the pilots and ground-based humans (e.g. air traffic 
controllers and airline dispatchers). In this age, 
humans are the designers and have ultimate authority. 
However, humans can decide whether or not to 
delegate this authority to automation under certain 
conditions. 

C. The Human-Automation Collaboration Age 

The third age of ATS control is initiated by a 
transition from human-centered control to a hybrid 
human-automation collaboration paradigm. 

Although aspects of the ATS involved such 
collaboration as early as the 1980’s, the clearest 
indicator of this age can be seen in the development 
and promotion of NextGen and SESAR. NextGen is a 
transformation of the National Airspace System 
(NAS) in the U.S. It includes a transition to increased 
use of satellite-based technology, an information-
centric network infrastructure, and data link
communications among aircraft and
human/automated agents [2].

Both NextGen and SESAR are evolving the 
ATS through technological transformations and 
interoperability [7]. These transformations are
transitioning airspace functions that were once the
domain of ground personnel to ground-based 
computer systems and, in some cases, to the airborne 
systems. This transformation is also migrating 
functionality on the aircraft from the human pilot to 
computer-based automated systems. In early 2012,
the US Congress passed a spending bill for the FAA
allocating $64.3 billion for modernizing air traffic 
control systems while expanding airspace access for 
unmanned aircraft systems (UAS) by 2015. This 
means that drones will have access to US airspace 
currently reserved for piloted aircraft [8]. The march 
towards increased human-automation collaboration is 
obviously well-underway [9]. 

D. The Automation-Centered Age

Though the far future is of course uncertain, 
projections of the current trend indicate that ATS 
control may eventually move from human- 
automation collaboration towards an automation- 
centered control paradigm. Transition to the 
automation-centered age will occur when ATS 
designers, for any number of legitimate reasons, have 
demonstrated and validated the ATS as a nearly fully 
autonomous system that can have practically all 
control authority. This age will represent a major 
shift from today’s small distinct cases of human- 
delegated authority (e.g. autopilot “modes”) towards 
authority given to automation by design and 
irrespective of pilot or controller delegation during 
flight. This future age should not be feared as long as 
prudence, due diligence and sound decision-making 
are used by those involved in the design (e.g. 
architects, system safety specialists, technologists, 
policy makers and certification specialists). 

Because airspace capacity and the 
communication spectrum are limited and the techno- 
political environment can change dramatically, there 
are many uncertainties and risks associated with this 
future state. This paper will describe precautions that 
designers must address in order to reduce or control 
these uncertainties and risks. Effective requirements 
analysis and the verification and validation of the 
new authority and autonomy constructs are just two 
of the critical areas that designers must understand in 
order to deliberately create harmonious and risk- 
mitigated ATS architectures that can enable this age. 

2. Impact of Technology Growth on 
Airspace Functions 

Figure 2. Requirements, Functions and Technologies

The ATS function can be decomposed by phase
of flight into a set of basic sub-functions that include,
for example, takeoff (lift, propulsion, control,
navigation), fly in the airspace (guidance, navigation
and control, propulsion), landing, and taxi. Many
different types of technologies can be employed to 
aid in performing these sub-functions efficiently and 
safely. Using systems engineering processes, 
requirements are developed, and technology is 
applied as needed to meet the requirements. 
Required performance of the sub-functions may be 
achieved by either hardware, software, people or 
procedures. A growth in technology capability over 
the past 100 years or so has provided a means of 
realizing and optimizing ATS functions and 
achieving performance and safety that was previously 
unattainable. 

A. New Technologies Expand, Consolidate or
Replace ATS Sub-Functions

As with all technological progress, some 
technologies revolutionize while others allow for a 
more incremental and subtle evolution, with both 
leading to older technologies or methods becoming 
obsolete. Examples of technology impacts in the ATS
include the development of more efficient airframe
structures, which revealed the aerodynamics of flight
(weight, lift and thrust); balloon structures, which led
to gliders and then controlled flight; the development
of steam engines, which led to jet-propelled aircraft;
improvements in thrust, which led to faster aircraft
with improved performance; and ground
infrastructure efficiencies that permitted improved
communication, awareness of weather and situational
awareness of air traffic.

As new technologies become available, ATS 
designers look to improve efficiencies as long as 
safety can be maintained. New technologies typically 
reveal new capabilities that designers add to their 
systems thus allowing for new functions and an 
evolution of requirements (see Figure 2). Given the 
list of ATS sub-functions, new technologies have the
potential to augment or expand, integrate or 
consolidate, overlap or altogether replace old 
technologies. As an example of technology that 
expanded ATS functionality, the aircraft industry 
from 1950 to 1970 improved engine technology from 
the piston-propeller to the turbo-propeller and 
eventually to the turbojet engine [10]. These 
technology transitions augmented and expanded 
airline mission profiles over time. Simple piston 
technologies are utilized on smaller aircraft and are 
well-suited for relatively short missions while the 
more powerful and complex turbine engines 
travelling at higher speeds and higher altitudes are 
used to fly longer distances. 

As an example of how a substantially improved 
technology replaced predecessor technology, 
consider the transition to minicomputers in the ATS. 
Up to around 1961, vacuum tubes were used for ATS 
computing purposes. The first transition to transistor 
technology in 1962 resulted in much faster 
minicomputers. Within two years, integrated circuit 
technology provided astounding improvements over 
transistor technology [11]. This technology replaced 
its predecessor and allowed for expanded 
functionality in the ATS. Today, this form of 
technology assists or controls many of the ATS sub- 
functions. Improvements in this technology have led 
to autonomous and automated systems which can 
possibly even reliably perform tasks currently 
requiring human cognitive capabilities. 

B. The Limits of Technology and the Migration 
of Risk 

Despite the advantages provided by technology, 
all technologies have limitations. These limitations 
include the laws of physics, the combinatorial 
complexity of software when it comes to testing, 
trade-offs related to architectural design and function 
allocation, the implementation of non-functional
requirements, economic considerations, integrating
stakeholder inputs and political influence [12]. 
Technologies can also be hindered by developmental 
processes, certification, operational procedures and 
impediments from the organizational development 
team. Awareness of the pros and cons of technology 
must be considered - technology is not a panacea. 

From a systems engineering perspective, each 
new technology integrated into the ATS impacts the 
system-level risk profile. Some technologies force the 
risk to migrate to different sub-systems while other 
technologies simply distribute the risk differently. 
This is because new technologies produce changes in 
system/sub-system functionality. Risks associated 
with these functional shifts, if unmitigated or poorly 
understood, may lead to unacceptable or 
unanticipated changes in system-level risk. 
Mitigations that were once satisfactory may be 
insufficient once a new technology replaces an older 
one. Awareness of risk migration caused by changes 
in technology should be a primary consideration and 
driver for those involved in ATS design [13]. 

3. The Best of Both Worlds 

In the complex relationship between humans and 
automation, trade-offs are both necessary and 
challenging. This is particularly true when assigning 
roles, responsibilities and authority to human and/or 
automated agents. In [9], several design metaphors 
regarding these issues are described. Both humans 
and automation can co-exist in many different 
configurations, even within any of these design 
metaphors. According to the perspective provided in 
Figure 1, as we transition to new migratory ages, the 
ATS designers will have increased responsibility for 
safety and performance; while humans involved in 
operations (e.g. pilots) will have less 
responsibility/authority. As the transitions occur, 
clear, complete and consistent requirements; 
limitations and constraints for technology; and 
humans and system safety are essential 
considerations for the realization of safe and
effective designs.

A. The Limits of Aviation Safety 

Figure 3. Technology Interaction/Coupling Chart

There are limitations to safety when the ATS
relies on decisions from, and interactions between,
humans and technology. Technology, as described
earlier, can be limited by laws of physics, testing
complexity, fabrication/development constraints, 
cost, and even political will in some cases. Humans, 
in similar fashion, also have limits which can be 
cognitive and/or physiological. In the age of human- 
centered ATS control, the prevailing theme declares 
that pilots are the final authority for a flight and are 
responsible to monitor the aircraft and the 
environment and take corrective steps if automation 
or any other system malfunctions. In this role, human 
capabilities are often perceived as both the greatest 
constraint to safety and the greatest enabler of safety. 
Humans (in this case pilots and air traffic controllers) 
have decision-making authority that can directly 
determine the outcome of the flight. This sentiment 
remains true in the age of human-automation 
collaboration [14]. However, in the age of 
automation-centered ATS control, the limits of 
aviation safety will be determined almost solely by 
the human designers. In general, the limitations of the 
individuals and organizations with critical decision-
making authority regarding design decisions will
induce limitation on the ATS. Furthermore, almost all
of the operational risk will move to designers, and in 
particular those involved in the verification and 
validation of designs. 

Part of the reason these limits are manifest is the 
interactions and coupling of sub-systems within the 
ATS. Figure 3 shows the interaction/coupling 
technology chart developed by Charles Perrow [15]. 
According to Perrow, “aircraft” technologies are 
considerably more complex and tightly-coupled than 
“airway” technologies. Written in 1984, Perrow’s 
classification of “aircraft” and “airway” was 
developed in the context of human-centered airspace 
control. By considering NextGen- and SESAR-like 
concepts that promote more complex technologies in 
the ATS, we can project where these advancements 
will lie on Perrow’s mapping (Figure 3) and for the 
ages in Figure 1. As described by Perrow, the
interaction between the elements of a device is
considered complex if there are many alternative sub-
tasks at any point in its execution. It is considered
linear if it is comprised of a set of fixed steps carried
out in sequence. The coupling dimension describes 
the extent to which an action is related to its 
consequences. Such a system is said to be tightly- 
coupled if consequences are linked closely with 
actions. In other words, minor slips in tightly-coupled 
systems can quickly become accidents. By contrast, 
in loosely-coupled systems, the link between an 
action and its consequences is less clear. These 
systems tend to be more forgiving of errors. These 
two dimensions form Perrow’s interaction/coupling 
space with which technologies can be classified [16]. 
Using Perrow’s initial placement for “aircraft” and 
“airway” for human-centered airspace control (items 
A in Figure 3), we consolidate both into an 
“airspace” technology data point which represents the 
increased coupling and complex interactions brought 
about by NextGen- and SESAR-like concepts. The 
item labeled “B” represents the move to the age of 
human-automation collaboration while item “C” 
represents the move to the age of automation- 
centered ATS control. These estimated placements 
are sure to be adjusted as safeguards and 
redundancies are designed into future ATS 
architectures. 

B. The Automation Addiction Phenomenon 

Because of the way in which designers have 
prescribed the interaction between humans and 
automation, and their respective roles, a condition has 
emerged known as “automation addiction” [17]. 
Closely related to this phenomenon is complacency, 
which can be an outcome of automation addiction, 
and the level of engagement, which can be a 
contributing factor. Automation addiction occurs 
when pilots abdicate or delegate too much 
responsibility to automated systems, and over time, 
there is a weakening in their response effectiveness to 
emergencies or unexpected circumstances. 
Automation addiction, which is an over-reliance on 
automation, can also diminish effective use of 
electromechanical systems because human skills need 
to be practiced to prevent atrophy. Billings and others 
have referred to this condition as the “automation 
paradox” [18]. In the future where increased levels of 
automation are expected, designs will be even more 
vulnerable to this phenomenon. Effective mitigation 
will depend on understanding the dynamics of this 
automation addiction in order to impart more 
effective solutions. 



Figure 4. Dynamics of Automation Addiction 


System dynamics models [19] utilize a variation 
of the shift the burden archetype to explain the 
dynamics and solutions to automation addiction [20]. 
Figure 4 depicts such a system dynamics model that 
represents the dynamics of automation addiction with 
humans. The arches represent positive (“+” 
increasing) or negative (“-” decreasing) influences 
between variables or objects. Clocks represent delays 
and “B” and “R” represent balanced and reinforcing 
loops, respectively. 

Referring to Figure 4, the dynamics of 
automation addiction can be explained as follows. A 
problem exists for the pilot during a flight and is 
manifested as a symptom, or set of symptoms. The 
example shown is that there is too much information 
or complexity for the pilot to effectively perform a 
required task. This problem can be solved via 
multiple courses of action. One course of action, the 
symptomatic solution (i.e. increase automation) has 
an apparent advantage over a more fundamental 
solution (i.e. reduce complexity of the design) 
because of delays in facilitating a design change. As 
a result of too much information or complexity, 
automation is added to manage the complexity for the 
pilot and attempt to keep him aware of the situation 
using more abstracted feedback. A short-term 
symptomatic solution obviates the need to pursue the 
more fundamental solution of reducing complexity 
by design. However, the inability to work on the 
fundamental solution ensures that the problem 
symptom will return. 


Additionally, implementation of symptomatic 
solutions, in time, can create unintended side effects 
(e.g. a vicious cycle of increasing pilot reliance on
automation) which over time works against 
implementing the fundamental solution of reducing 
complexity by design. Compounding this problem is 
that over time, as pilots rely more on automation, 
skills at non-automation supported tasks may atrophy 
[21]. This in turn places an added burden on training
to reduce risk. The most obvious example of such a 
situation is the evolution of today’s auto-flight 
systems, their various “modes,” mode transitions, and 
the requisite enabling Flight Management System 
(FMS) and its interface. 

When the dynamics of the addiction cycle are 
taken to the extreme, one of two possible conditions 
occur. First, application of symptomatic solutions 
leads the pilot to be totally dependent on the 
automation. The pilot, in this case, has unwittingly 
turned over control and authority to the automation 
via small incremental decisions. Second, application 
of the fundamental solution to reduce complexity by 
re-design leads to healthy, beneficial interaction 
between humans and automation. In either case, it is 
the designers that ultimately face the challenge of 
choosing a particular point design across this span of 
possible solutions. 

C. The Designer’s Dilemma - Human 
Automation Functional Allocation 

As new technologies are developed and 
integrated in the ATS, it is incumbent on designers to 
architect systems that balance the risks and 
limitations of automation, technology and humans in 
order to achieve system safety and mission success 
goals. These decisions include the appropriate use of 
technology, the level of interaction between the 
human and automation, the degree to which safety 
can be impacted by hazards, faults, and desirable 
mitigations to control deleterious and unwanted 
behaviors. One of the primary means of architecting a 
system appropriately is first determining the needs, 
goals, and objectives (Figure 2) envisioned for the 
human, the automation, and the system as a whole. 
This step is also often called requirements 
development and analysis. One way of viewing 
human-automation design space is discussed in [1] 
and is based upon a two-dimensional space wherein 
one dimension is the “locus of control” and the other
is “roles and responsibilities.” In this construct, the
degree to which humans and/or automation will 
provide functionality and control of the system can 
be represented at a high level. At the extremes of the 
“locus of control” axis are ground-based control and 
aircraft-based control; while the extremes of the 
“roles and responsibilities” axis are humans as
active operational decision-makers (e.g. pilots) versus
humans as monitors/managers of systems during 
operations. 

Deliberate and Essential Designs 

Deliberate and essential designs are those 
designs where adequate forethought, analysis, and 
protections have been applied during design, 
development, and testing. Deliberate and essential 
designs strike an appropriate balance between 
humans and automation (thus reducing the likelihood 
of automation addiction) and regulate the flow of 
new technology into the system thus mitigating risks. 
One significant way of achieving deliberate designs 
is the use of a diverse set of designers who are 
comfortable exploring and analyzing in particular the 
uncertainties in the unknown unknowns [22].

There are many processes and tools (e.g. 
integrated hazard analysis [23]) that have been 
created to aid in producing deliberate and essential 
designs. Only two will be discussed here. They are 
effective requirements analysis, and verification and 
validation methods for authority and autonomy 
allocation. 

Effective requirements analyses are necessary to 
create deliberate designs. Since the introduction of 
computing systems, much of the functionality of 
enabling airborne and ground-based systems is 
performed by the software. Raytheon found that 
approximately 40% of the total budget for their 
software projects was rework [24]. Bell Labs and
IBM studies have determined that 80% of all product 
defects are inserted in the requirements definition 
stage [25]. In general, rework consumes 40 to 50 
percent of software project budgets. This means that 
requirements errors can consume up to 42 percent of 
total software development resources. Therefore,
effective requirements analyses reduce errors,
improve safety, reduce costs and embody trade-offs
necessary for balanced designs. Further, design trade-
offs have significant impact on the complexity of the
overall system. For example, with respect to 
information management in the ATS, integrated
versus segregated design trades impart coupling and
interactions on the ATS infrastructure: segregated 
designs reduce coupling of information and increase 
redundancy, whereas integrated designs increase 
coupling between airborne and ground-based 
systems. This coupling tends to increase complexity 
due to data fusion and filtering that obscures raw 
sensor data. 

Verification and validation of new authority and 
autonomy constructs will increase in importance as 
more ATS sub-functions transition from human- 
centered control to human-automation collaboration 
and eventually to automation-centered control. 
Critical verification and validation assurance methods 
must support designers in creating deliberate and 
essential designs. These methods must also uncover 
vulnerabilities that may otherwise result in accidents 
or unexpected behaviors. As NextGen- and SESAR- 
like concepts mature and push the air traffic 
management toward more human-automation 
collaborative designs, the stress on verification and 
validation will grow to ensure the behavioral integrity 
of the collaborative aspects, particularly in situations 
where the collaboration may be between several 
human and automated agents. Such collaborative 
systems may be used for aspects of flight path 
management, four-dimensional trajectory negotiation 
and collision avoidance. 

It is expected that verification and validation 
techniques can be leveraged in the commercial ATS 
from developments and experiences in the military 
sector. In the future, it is expected that military UAS
operations will make up a much larger portion of ATS
operations. Automation and authority management
will be taken more quickly into the automation- 
centric age. Verification and validation of these new 
constructs will be addressed here first and the lessons 
learned can then be transferred to the commercial 
sector as has been done many times in the past (e.g. 
the introduction of radar following World War II) 
[26].

In the age of automation-centered airspace 
control, the integrity of the system will rely on agile 
verification and validation processes to ensure the 
safety of crewed and unmanned aircraft. The push for 
expanded UAS use in civil airspace will drive the 
need for new and innovative verification and 
validation techniques to reduce system level risks. 


Accidental and Negligent Designs 

Accidental and negligent designs are designs 
that are developed haphazardly without much 
forethought into unintended consequences, or 
preventing unwanted system behavior. These system 
designs are characterized by negligence where faults 
and unsafe conditions have crept in due largely to 
carelessness, or a rush to product. Much of the human 
effort here is used to mitigate damage from 
unobservable system states caused by inadequate 
design practices. In a worst-case scenario, designers
may have inadvertently created an environment 
where emergent sentient autonomous systems can 
gain airspace control. This and other deleterious 
conditions can be the result of negligence, but more 
often result from a lack of understanding of the 
complexity of the system and interactions between its 
components. 

D. Should the Pilot or the Designers Bear 
Ultimate Responsibility for Safety of Flight? 

In the current world of increasingly complex and 
disparate systems that enable the ATS, how does one 
determine whether the pilots or the designers should 
be held ultimately responsible for the safety of a 
flight? The answer of course depends on the context 
and purpose, or intended function, of the design. For
example, in the human-centered age of ATS control, 
the pilot has primary responsibility for the aircraft 
and is the final authority. The designer has primary 
responsibility for the correct operation of the systems 
that support him. This remains the case, to date, in 
the age of human-automation collaboration, although 
the pilot can, and does, delegate authority to 
automation in many circumstances (e.g. auto-land). 
However, in the postulated future age of automation- 
centered ATS control, the designer will have ultimate 
responsibility for all aspects of safety. The human 
will have much less capability to intervene, or re-take 
authority. 

E. Designing for Humans as Operators 

The ATS control ages provide broad and 
discrete contexts by which to analyze the roles that 
humans and automation will perform. Humans, as 
operators of the ATS, form the basis for the age of 
human-centered ATS control, and this paradigm 
remains largely in place today, although the transition 
to the Human-Automation Collaboration age is also
well underway. As human operators, pilots have
authority for the aircraft while controllers and 
designers have authority over the airspace and 
systems that enable the ATS function. Given the 
active and engaged role of humans, designs are not 
only required for technological elements, but also the 
training and procedural requirements. For the ATS to 
be safe and effective, each of these designs must be 
well thought-out and thoroughly tested (i.e. a 
deliberate and essential design). Unfortunately, this 
has led to a very complex system of systems that is 
inflexible in many ways, and difficult to change 
beyond small incremental steps. 

As we transition even more into the age of 
human-automation collaboration, human operators 
require a more intimate knowledge of the spectrum 
and dynamics of the automated systems that they are 
collaborating with. Humans will need to understand 
the technology limitations so that they may take 
control during times of uncertainty, or when the 
automation fails. Humans need to understand the 
inadequacies of automation to ensure that humans 
will be available, and trained, to operate in these 
system states. This includes the situation of both 
UAS and crewed aircraft procedures, mitigations and 
contingencies. Designers should have a sound 
understanding of the functional allocation (including 
overlap) between humans and automation in order to 
fully inform the operator during times of 
emergencies. Locus of control issues must be fully 
understood, and pilots/controllers should directly 
collaborate with designers during the design phase. 

Finally, in the age of automation-centered ATS 
control, designers will hold primary responsibility for 
performance of the ATS. This will include 
automation that is flying the aircraft and controlling 
airspace access. Though humans will continue to 
operate as pilots here, they will have a much different
role, and we can expect far fewer of them
relative to the number of aircraft (possibly due to an
increase in UAS). Verification and validation
techniques for complex systems of systems will need 
to reach an unprecedented level of sophistication to 
ensure safety and integrity. 

F. Designing for Humans as Monitors 

As stated earlier, in the age of human-centered 
ATS control, the human pilot has ultimate authority 
over the aircraft during operations. However, the
pilot may, and does, delegate authority to automation
in many circumstances. Once authority is delegated, 
the pilot is responsible for monitoring the 
performance of the automation to assure it performs 
its intended function and to reclaim authority should 
the automation fail. This system is extremely safe due 
to rigorous verification and validation processes and 
well-defined procedures and training. However, it has 
been shown that humans are not good at monitoring, 
in general. Therefore, vigilance to the task and active
engagement are essential.

In the age of human-automation collaboration, 
the monitoring role will grow in many respects; 
however, there will be the added complexity of new 
modes of dialog and negotiation (i.e. collaboration). 
The delegation of authority to automation will be 
more fluid, frequent, and bi-directional [9]. 
Monitoring may involve consent to state changes and 
critical decisions, acknowledgements of system 
intentions and support for mutual awareness of faults, 
failures, or other conditions. Because humans may 
fluidly transition back and forth between operator and 
monitor, cognitive and mechanical flying skills will 
need to be honed and maintained in new ways. 
Designers in this age will need to have a full 
understanding of any and all state transitions, and 
include intuitive mechanisms for humans to observe 
these. Even closer relationships between the 
designers and the human monitors will be required to 
increase operational awareness and understanding. 

In the age of automation-centered control, the 
predominant human function during operations will 
be that of a monitor for automation that will have 
authority for aircraft flight. The human in this 
scenario is in a predicament because it will be 
difficult to keep their flying skills current in an age 
that has little demand for this expertise. Human 
monitoring in this age will be “automation addiction” 
by design. In other words, we will be completely 
dependent on automation for many/most situations 
and conditions. In this age, pilots should have a close 
relationship with the designers who will have 
ultimate authority to constrain and exploit automation 
weaknesses if the need ever arises. In this age, one 
can envision a set of remote pilots who are available 
to step in under rare conditions where automation 
may have failed, but has failed to a safe state (e.g. a 
holding pattern). 



4. Conclusions 

As the ATS continues to expand, functions that 
were once solely dedicated to humans are slowly 
migrating towards automated systems. This paper 
takes a broad philosophical perspective in defining 
ages of ATS control from prehistory, when mankind 
observed and imitated the flight of birds, to the 
current age of powered flight where pilots have 
authority for safety of flight. Looking now and into 
the near future, an age of human-automation 
collaboration is apparent wherein humans are still in 
control and have authority during flights, but several 
functions are delegated to automation, while others 
are collaboratively decided. In the far future, an 
automation-centered age can be anticipated where the 
ATS is designed to be largely automated and this 
same automation is given authority with regard to 
control decisions affecting safety. Collectively, these 
migratory ages and the transitions between them 
provide a set of contexts by which to analyze 
functions, either at a high-level conceptual scale, or 
at lower-level scales. From this perspective, ATS 
sub-functions have been continuously moving from 
nature to humans to autonomous systems. This 
functional migration is very similar to the migration 
of birds and bison in that survival is predicated on 
finding an environment that permits them to flourish. 
Birds and bison move in a geospatial environment 
whereas functions move in a techno-political one. 
Each step of the migration involves numerous 
individual and collective decisions by the designers. 
Further, it is the designers who will knowingly or 
unknowingly push the ATS into paths of
sustainability (deliberate designs) or unsustainability
(negligent designs) by the growth and infusion of
technology in the ATS infrastructure. Awareness of
these contexts can help designers discern beneficial
trade-offs, despite human and technological
limitations, as they prepare to take the ATS into
unprecedented new territory.